Class FormAuthenticator

java.lang.Object
org.eclipse.jetty.security.authentication.LoginAuthenticator
org.eclipse.jetty.security.authentication.FormAuthenticator
All Implemented Interfaces:
Authenticator
public class FormAuthenticator extends LoginAuthenticator
FORM Authenticator.

This authenticator implements form authentication will use dispatchers to the login page if the __FORM_DISPATCH init parameter is set to true. Otherwise it will redirect.

The form authenticator redirects unauthenticated requests to a log page which should use a form to gather username/password from the user and send them to the /j_security_check URI within the context. FormAuthentication uses SessionAuthentication to wrap Authentication results so that they are associated with the session.

  • Field Details

  • Constructor Details

    • FormAuthenticator

      public FormAuthenticator()

    • FormAuthenticator

      public FormAuthenticator(String login, String error, boolean dispatch)

  • Method Details

    • setAlwaysSaveUri

      public void setAlwaysSaveUri(boolean alwaysSave)
      If true, uris that cause a redirect to a login page will always be remembered. If false, only the first uri that leads to a login page redirect is remembered. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=379909
      Parameters:
      alwaysSave - true to always save the uri

    • getAlwaysSaveUri

      public boolean getAlwaysSaveUri()

    • setConfiguration

      public void setConfiguration(Authenticator.Configuration configuration)
      Description copied from interface: Authenticator
      Configure the Authenticator
      Specified by:
      setConfiguration in interface Authenticator
      Overrides:
      setConfiguration in class LoginAuthenticator
      Parameters:
      configuration - the configuration

    • getAuthenticationType

      public String getAuthenticationType()
      Returns:
      The name of the authentication type

    • login

      public UserIdentity login(String username, Object password, org.eclipse.jetty.server.Request request, org.eclipse.jetty.server.Response response)
      Description copied from class: LoginAuthenticator
      If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.
      Overrides:
      login in class LoginAuthenticator
      Parameters:
      username - the username of the client to be authenticated
      password - the user's credential
      request - the inbound request that needs authentication

    • logout

      public void logout(org.eclipse.jetty.server.Request request, org.eclipse.jetty.server.Response response)
      Overrides:
      logout in class LoginAuthenticator

    • prepareRequest

      public org.eclipse.jetty.server.Request prepareRequest(org.eclipse.jetty.server.Request request, AuthenticationState authenticationState)
      Description copied from interface: Authenticator
      Called after Authenticator.validateRequest(Request, Response, Callback) and before calling Request.Handler.handle(Request, Response, Callback) of the nested handler. This may be used by an Authenticator to restore method or content from a previous request that was challenged.
      Parameters:
      request - the request to prepare for handling
      authenticationState - The authentication for the request

    • getParameters

      protected org.eclipse.jetty.util.Fields getParameters(org.eclipse.jetty.server.Request request)

    • encodeURL

      protected String encodeURL(String url, org.eclipse.jetty.server.Request request)

    • getConstraintAuthentication

      public Constraint.Authorization getConstraintAuthentication(String pathInContext, Constraint.Authorization existing, Function<Boolean,org.eclipse.jetty.server.Session> getSession)
      Description copied from interface: Authenticator
      Get an Constraint.Authorization applicable to the path for this authenticator. This is typically used to vary protection on special URIs known to a specific Authenticator (e.g. /j_security_check for the FormAuthenticator.
      Parameters:
      pathInContext - The pathInContext to potentially constrain.
      existing - The existing authentication constraint for the pathInContext determined independently of Authenticator
      getSession - Function to get or create a Session.
      Returns:
      The Constraint.Authorization to apply.

    • validateRequest

      public AuthenticationState validateRequest(org.eclipse.jetty.server.Request request, org.eclipse.jetty.server.Response response, org.eclipse.jetty.util.Callback callback) throws ServerAuthException
      Description copied from interface: Authenticator
      Validate a request
      Parameters:
      request - The request
      response - The response
      callback - the callback to use for writing a response
      Returns:
      An Authentication. If Authentication is successful, this will be a AuthenticationState.Succeeded. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement AuthenticationState.ResponseSent.
      Throws:
      ServerAuthException - if unable to validate request

    • isJSecurityCheck

      public boolean isJSecurityCheck(String uri)

    • isLoginOrErrorPage

      public boolean isLoginOrErrorPage(String pathInContext)